zergboard-skill
Fail
Audited by Snyk on May 15, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt instructs users to run a login command with a plaintext --password argument and to copy the API token verbatim into a local config.json, which requires handling and embedding secret values directly (high exfiltration risk).
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's runtime code (zergboard_skill.py) and SKILL.md show it makes HTTP requests to the Zergboard API (default https://zergboard.fly.dev) to fetch user-generated content — boards, cards, descriptions, and comments — which the tool consumes and uses to resolve targets and drive actions (e.g., resolve_board/resolve_card, comments, create/update/move), so untrusted third-party content can materially influence behavior.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
Audit Metadata